Broadcast networks for pay-tv applications deliver encrypted content to receivers and keys (also known as control words or CWs) associated to the encrypted content to secure devices. A secure device delivers CWs uniquely encrypted to a receiver enabling decryption (also known as descrambling) of the content in the receiver. Examples of a secure device are a smartcard and an obfuscated software client.
The communication channel between the secure device and the receiver is typically secured by encrypting communication with a temporary session key. A shared secret between the secure device and the receiver is used to negotiate the temporary session key. If an attacker obtains the shared secret, it can be used to intercept CWs on the communication channel and redistribute the CWs to other receivers for unauthorized descrambling of the content.
The shared secret is typically stored in a firmware of the receiver. In order to prevent an attacker from obtaining the shared secret, information hiding techniques can be used. Code obfuscation and data transformation are known techniques to make it difficult for an attacker to obtain the shared secret from the receiver firmware.
Attacks to the receiver infrastructure often take the form of placing a modified firmware in a pirate receiver and setting up a secured session with a smartcard using the modified firmware. The shared secret is exploited in the modified firmware to obtain cleartext CWs from the secure session. These cleartext CWs are shared with other receivers also running modified firmware, most of which do not have a smartcard with a valid subscription.